Channels

Services

Malware programmers start using Go

Google's Go programming language has a growing number of users and, according to a report from Symantec, that number now includes some malware writers. The company says it recently found a trojan, Encriyoko, which included Go-based components, specifically a file named GalaxyNxRoot.exe. This file is a .NET-based dropper which pretends to be a rooting tool to trick users into running it, at which point it drops and launches two programs written in Go: PPSAP.exe and adbtool.exe.

PPSAP.exe is an information-gathering trojan which appears to collect system information which is then posted to a remote site. The adbtool.exe file downloads an encrypted file, zdx.tgz, and decodes it; the downloaded file is a DLL which is loaded and run. This then attempts to encrypt, using Blowfish, many different file formats including .c, .cpp. .go, .vb, .jpg, .png, .rar, .zip, any document files with doc, xls, ppt, mdb or pdf in the name and a range of other files based on whether their extensions include strings such as mce, dw, sh or pic. The contents of the encrypted files are most probably irretrievably lost as the zdx.dll program generates a random key unless a particular file is present.

Go is a relatively young language, introduced in 2009 by Google as an alternative to classic systems languages like C, C++ or Java. The statically typed language's syntax is strongly based on C and is known for supporting concurrency as a feature native to the language. It is possible the malware authors were using the language, which has yet to enter the mainstream, because malware researchers were unlikely to be familiar with it and the code generated by its compiler.